Friday, March 26, 2010

Dan Gaskell is a Solicitor and Higher Courts Advocate with Tuckers Solicitors in the UK.

The Copyright, Designs and Patents Act 1988 (CDPA) was amended on 31 October 2003 by statutory instrument, the Copyright and Related Rights Regulations 2003. The driving force behind this was an EC Directive, which ought to have produced a consistent approach across the EC to the modification of games consoles and to what is or is not legal. The reality has been quite a different approach in this country from that adopted in other member states, in particular Italy, Spain and, more recently, France.

The Regulations extended section 296 of the CDPA and made it a criminal offence under s296ZB CDPA to, inter alia, manufacture, import, sell or advertise for sale devices whose primary purpose is to circumvent the "effective technological measures" that protect games consoles manufactured by the likes of Sony, Microsoft and Nintendo. These devices are commonly known as modchips, but they take a number of different forms depending on the console they are designed to work with.

Since the introduction of the legislation a number of criminal prosecutions have followed, driven largely by the Entertainment and Leisure Software Publishers Association (ELSPA), but it is only in the last 12-18 months that the legislation has been fully tested to the point where certain conclusions can be reached as to what must be proved before a criminal offence is made out. In reaching those conclusions, however, the Court of Appeal has raised further issues for consideration in defending cases in the future...

Tuesday, March 23, 2010

In an ideal world, health care would cost nothing and medical tests and procedures would be without risk or discomfort to the patient. The fact that the world is not ideal is one reason why health care reform is one of the top political issues in the United States at the moment. Medical tests can be costly, invasive and potentially life threatening to the patient and, for those reasons, the skillful practice of medicine involves the judicious use of testing which balances all of the costs against the likely benefits.

Patient care does not always involve certainty. In many cases, the health care practitioner (HCP) is forced to deal with likelihoods and probabilities on the path to certainty and, in rare instances, certainty may never be achieved. The absence of certainty is not always a barrier to treatment and response to treatment can be a step toward definitive diagnosis but, like medical tests, treatments can have their risks and the decision to treat must weigh these risks against the likelihood that the presumptive diagnosis is correct. To address the issues of uncertainty, cost, risk and benefits, HCPs employ, whether explicitly or implicitly, a collection of heuristics which provide guidance in the selection of tests and the determination of treatments. That a similar set of heuristics can, will, and in some cases, must guide the practice of digital forensics I hope to demonstrate by what follows.

Traditionally, computer forensics begins with the seizure of all possible evidence, followed by test, test, test until either you find something or you decide that there is nothing to be found. To paraphrase an example attributed to Rob Lee, this is like doing an autopsy as the first step in a medical examination.

This is a luxury which may become the exception rather than the norm for digital forensic (DF) examinations in the future. The ubiquity of personal, portable storage devices, the sheer volume of storage available on even the smallest of digital devices, and the costly and invasive nature of indiscriminate requests for a bit-for-bit copy are all issues with which US courts and DF examiners have grappled. Simple techniques for hiding data and obfuscating user activity are readily available and widely known, though less widely used, although I expect the latter to change as threats to privacy grow. The Internet and the proliferation of social networking, peer-to-peer file sharing and other technologies have the potential to put much of the evidence beyond the grasp of the traditional forensic investigator, where, again, privacy concerns may limit the courses of action in civil matters.

Increasingly, DF practice is likely to parallel the process of medical diagnosis in key aspects...

Monday, March 22, 2010

Dr Chris Hargreaves is a lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK.

In this series of articles I hope to explore some of the issues in forensic computing from an academic perspective, which will hopefully complement the perspectives from other columnists in the corporate, legal and software development fields.

In this first article it seemed sensible to start at the beginning and discuss something that may seem trivial but does have several implications, both practical and philosophical, and is not just an argument about semantics. This issue is what is this field that we work in actually called?

The field of acquiring, analysing and presenting digital evidence goes by several names: in the case of our MSc the term 'Forensic Computing' is used, but this is one of many. Browsing through a list of available courses in this area (recently compiled by Forensic Focus) reveals a number of other names including 'Computer Forensics', 'Digital Forensics', and 'Cybercrime Forensics'.

Are there any differences between what the courses offer? Almost certainly yes, but are the courses named differently in order to reflect different content? I suspect not. This is just one example of a common issue - uncertainty about what the field is called, if it is indeed one field. The remainder of this article describes some of the various names that are used for the field, followed by a discussion of some of the issues that occur as a result of a lack of unity as far as naming is concerned, largely from an academic perspective. Finally, it will be argued that this is actually a small symptom of a broader issue.

So what are the different terms that are in use and is there anything wrong with any of them? The term 'Computer Forensics' is widely used but as Eoghan Casey points out in Digital Evidence and Computer Crime, this is "a syntactical mess that uses the noun computer as an adjective and the adjective forensic as a noun". So, 'Computer Forensics' is poor use of the English language, and while many people may not have an issue with this, it should probably not be used...

Saturday, March 20, 2010

Simon Biles is a founder of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK.

Forensics and Information Security make for strange bedfellows - they sit on the opposite sides of the same coin, and although I have a strong belief that a fundamental knowledge of one is almost a prerequisite for success in the other, they don't half make each other's lives difficult!

I'm privileged to have been asked to write here, on a regular basis no less (!), and I'm very conscious that I'm writing from that opposite side - the one that makes sure that information doesn't leave the secure systems that it's been put on. Full disclosure is a fine concept, but it needs to be executed with a little finesse, so I'll try to be careful.

In any case, this month I'm on safe ground - no encryption, plausible deniability or anonymous browsing - today we are going to talk about ISO Standards. OK, anybody still reading? Fine, I accept that it's not the world's most exciting or sexy subject, however in the UK at least it is something that has become very much more important, as there are moves to enforce compliance with ISO 17025 for forensic labs. The standard relates to the "General requirements for the competence of testing and calibration laboratories", and is, like so many other ISO standards, a specific extension of ISO 9001, the Quality Management standard. (Personally, I think that all labs should comply with the Information Security Standard ISO 27001 - with all of the critical, confidential and important data kicking around, it seems logical to me, not to mention more personally relevant.)

The standard has been taken on board by the Forensic Science Regulator, Andrew Rennison (http://police.homeoffice.gov.uk/operational-policing/forensic-science-regulator/index.html), who has been working on ensuring that UK labs meet certain basic standards. He has taken care to engage well with the digital forensics community, taking advice from a Specialist Group made up of significant digital forensics leaders in the UK and also engaging with the wider community through workshops and conferences. At the moment there is a tender out for the development of a framework interpreting ISO 17025 as it applies to specific subject areas and, although digital forensics isn't explicitly mentioned, with computer-related crimes numbering in the millions it will have to be...

Friday, March 19, 2010

Working late on a Thursday night in an otherwise pretty empty building, I pause for a moment while the debugger is stopped at a breakpoint. I am thinking of the big difference between doing it right and just making it work. Often, this subtle difference cannot be easily seen by the users.

Computer forensics has been a fascinating field to me, ever since I started working as a developer on one of the world's leading forensic products in 2001. Forensic-grade software is unique and differs from many other types of software. Having worked on embedded crypto software, video games, real-time animation and motion capture has made me very aware of this disparity. In addition to the usual issues with delivering complex applications, there are several other unique items to contend with. As an example, I have to be aware of forensic methodologies like data acquisition, the internals of file systems and disk formats, and the internals of operating systems. I also have to assume that any data can be corrupt at any point, and therefore will not behave like properly formatted data.

Robustness is not the only issue. Memory usage, processing speed, data quantity and data quality are also important. In order to write code that will fulfil all of these needs, some research is needed. This research sometimes leads to highly interesting forensic finds, like the ObjectIDs on NTFS file systems (I will write about this in an upcoming article). Any research and the intricacies of the implementation also need to be documented. Aside from documentation, I work with many other departments: Quality Assurance, Technical Services and fellow application developers, sometimes debugging a crash, updating our bug tracking system, writing a sample script, creating a regression test, making a presentation - oh, and yes, I do work on the code as well: implementing new features, reviewing refactoring and occasionally improving some old code!

Furthermore, time permitting, I try to read several forensic message boards. I appreciate the work that forensic examiners do. Thus, I like to answer questions that are in areas where I consider myself knowledgeable and with something useful to offer...
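As an added illustration of the point above about treating every byte on disk as potentially corrupt, here is a small defensive parser for the classic MBR partition table. It is example code written for this page, not code from EnCase or Guidance Software. The sample boot sector and the 2048-sector disk size are constructed for the demonstration; the parser records each anomaly it finds (bad signature, truncated sector, invalid status byte, a partition running past the end of the device, overlapping entries) and keeps going, so an examiner still sees whatever is there.

```python
"""Defensive parser for a classic (MBR) partition table.

Forensic-grade parsers cannot trust any byte on disk: the table may be
truncated, carry a bad signature, or describe partitions that run past the
end of the device. Every anomaly is recorded and parsing continues.
"""
import struct
from dataclasses import dataclass, field

SECTOR = 512
TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
ENTRY_LEN = 16
SIGNATURE_OFFSET = 510      # 0x55 0xAA marks a valid boot sector
SAMPLE_DISK_SECTORS = 2048  # constructed device size used for bounds checks


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int
    problems: list = field(default_factory=list)


@dataclass
class MbrResult:
    partitions: list
    problems: list   # table-level problems (signature, truncation, overlaps)


def parse_mbr(sector0: bytes, disk_sectors: int) -> MbrResult:
    """Parse sector 0; `disk_sectors` is the device size in 512-byte sectors."""
    table_problems = []
    parts = []

    if len(sector0) < SECTOR:
        table_problems.append(f"truncated sector: {len(sector0)} bytes, expected {SECTOR}")
        # Pad with zeros so the fixed offsets below stay inside the buffer.
        sector0 = sector0 + b"\x00" * (SECTOR - len(sector0))

    if sector0[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xaa":
        table_problems.append("missing 0x55AA boot signature")

    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_LEN
        # status(1) CHS-start(3, ignored) type(1) CHS-end(3, ignored) LBA-start(4) sectors(4)
        status, type_id, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector0, off)
        if type_id == 0 and lba_start == 0 and sectors == 0:
            continue  # empty slot
        p = Partition(i, status == 0x80, type_id, lba_start, sectors)
        if status not in (0x00, 0x80):
            p.problems.append(f"invalid status byte 0x{status:02x}")
        if sectors == 0:
            p.problems.append("zero-length partition")
        # Python ints do not wrap, so a crafted 32-bit overflow cannot hide an overrun.
        if lba_start + sectors > disk_sectors:
            p.problems.append(
                f"extends past end of disk (ends at {lba_start + sectors}, disk has {disk_sectors})")
        parts.append(p)

    # Overlapping entries are another corruption (or anti-forensics) indicator.
    for a in parts:
        for b in parts:
            if (a.index < b.index
                    and a.lba_start < b.lba_start + b.sectors
                    and b.lba_start < a.lba_start + a.sectors):
                table_problems.append(f"partitions {a.index} and {b.index} overlap")
    return MbrResult(parts, table_problems)


def sample_mbr() -> bytes:
    """Constructed boot sector: one sane NTFS entry, one past the end of disk,
    one with a bad status byte that also overlaps entry 0, one empty slot."""
    def entry(status, type_id, lba_start, sectors):
        return struct.pack("<B3xB3xII", status, type_id, lba_start, sectors)
    table = (entry(0x80, 0x07, 63, 1000)
             + entry(0x00, 0x83, 1063, 5000)
             + entry(0x12, 0x05, 100, 50)
             + b"\x00" * ENTRY_LEN)
    return b"\x00" * TABLE_OFFSET + table + b"\x55\xaa"


if __name__ == "__main__":
    result = parse_mbr(sample_mbr(), SAMPLE_DISK_SECTORS)
    for p in result.partitions:
        print(p)
    print("table problems:", result.problems)
    print("truncated:", parse_mbr(sample_mbr()[:300], SAMPLE_DISK_SECTORS).problems)
```

Feeding the truncated buffer in the last line through the same function yields no partitions and two table-level problems rather than an exception, which is the behaviour you want when a tool is pointed at a damaged drive.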

Thursday, March 18, 2010

Forensic Focus is delighted to announce that this month sees the start of regular columns written by some of the most knowledgeable and experienced professionals in the computer forensics industry and related fields. Aiming to cover a broad range of topics, columnists will be offering their perspectives on real world digital forensics, research and education, forensic software development, legal issues and computer security (to name but a few!).

Simon Biles is one of the founders of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK. He has worked on security projects for commercial, charity and government organizations for over 10 years.

Dan Gaskell is a Solicitor and Higher Courts Advocate with Tuckers Solicitors. Tuckers operates from offices in Birmingham, London and Manchester and provides advice and assistance in all aspects of criminal defence law.

Chris Hargreaves is a lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK. Chris is involved to some extent in all of the Centre's core activities: Education, Research and Consultancy. Chris's main focus is research but he also teaches on several of the modules within Cranfield's MSc programme.

Sean McLinden, MD, is the President and CEO of Outcome Technology Associates, Inc. (OTA), a provider of digital forensics, incident response, eDiscovery and litigation support services to clients in the US and abroad. Trained as a neurologist, McLinden applies the same methodologies he uses as a diagnostician to problems in digital forensics.

Dominik Weber is a Senior Software Architect for Guidance Software, Inc. He has a Master's degree in Computer Science from the University of Karlsruhe, Germany, and worked for video game companies (Activision) and on computer animation / motion-capture projects (Jay Jay the Jet Plane) before joining Guidance Software in 2001.

Friday, March 05, 2010

Last week, I received a phone call to perform a sensitive acquisition for Law Enforcement. A tragedy really, but out of it arises a short story of success with modern forensics tools.

When I arrived on scene I was briefed and went to search for the requisite equipment to perform the acquisition. As it turned out, the entire stock of wiped drives was gone. A 500GB drive was located, but it needed to be wiped. Wiping a 500GB drive takes up to a few hours, so that was no good. I did have some clean space on an acquisition RAID device though. Given the sensitivities of the operation I had to do this quickly, efficiently, and right the first time. The margin for error was slim as there was information on the desktop that couldn't be lost.

I went for the ace up the sleeve. I had up to this point only used it in testing, but I went for a tool I knew I could trust. The tool was none other than F-Response TACTICAL. Yeah, that's right, I went for live imaging in a Law Enforcement case. There are still plenty of those doubters and naysayers out there, so let me be clear. The time to adapt has passed; the need to preserve evidence when lives are at stake is paramount. It's time you adopted modern techniques. There is no such thing as forensic purity, in any forensic discipline, when you've got volatile evidence. That's a myth created by those that have never worked in the field.

Photos taken and requisite documentation completed, I plugged the victim system into a local switch I had for this purpose. I then inserted the subject dongle into the subject computer. I quickly popped the examiner dongle into my station attached to the acquisition RAID. Configuration, always quick, included physical memory. Then I simply clicked on "auto connect" on the examiner console. Just like that, the disk and memory objects I needed were exposed. Firing up FTK Imager, I made the acquisitions I needed. The case proceeded as many do, with hurried phone calls and stress like no normal incident can create. The evidence was secured for examination and the subject laptop was turned over.

I'm an Incident Responder and a Forensic Examiner. I need tools I can rely on, tools that work in the clutch, tools that don't break the bank, tools to use when life and limb are at stake. For me, that's F-Response. A very big thanks to Matt Shannon and the folks at F-Response. I'm not sure how the field got along without you, and you've made technology available that makes a real difference.

Monday, March 01, 2010

American InterContinental University (US)
Arapahoe Community College (US)
Marshall University (US)
Lawrence Technological University (US)
Harper College (US)
California Sciences Institute (US)
Lenoir Community College (US)
Regis University (US)
Boston University (US)
University of Rhode Island (US)
Catawba Valley Community College (US)
Sheffield Hallam University (UK)
Macquarie University (Australia)
Dalarna University (Sweden)
Universiteit van Amsterdam (Netherlands)